Bug ID 612954: IKEv1 log line warns proxy-support must be enabled for v1 peers to work

Last Modified: Apr 19, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:

Opened: Aug 26, 2016
Severity: 3-Major


If you disable proxy-support inside a v1 ike-peer, the config will not work because the racoon daemon cannot send proper identifying information to tmm in a GETSPI request. (The source appears to be localhost, which does not identify the peer, so no SPI can be allocated.)


IPsec tunnels for IKEv1 cannot be established when proxy-support is disabled in the racoon daemon.


In a v1 ike-peer, disable proxy-support.


Enable proxy-support in the ike-peer config definition. Note: In a v1 ike-peer, proxy-support must be enabled for a v1 peer to work. This is the default value, and should not be changed.

Fix Information

On the responder side, a logged line will say 'check IKE-PEER proxy support' in part of the message, to explains GETSPI failure, as a suggestion to fix this in the ike-peer config.

Behavior Change